Ticket: [[!tails_ticket 6560]]

[[!toc levels=2]]

# One possible plan

Goal: avoid the need to disable Secure Boot in the firmware
configuration. Tails should boot out-of-the-box with Secure Boot
enabled, without the user having to do _anything_ special about it.

Means: use the shim signed by Microsoft + GRUB2.

We don't support booting on a custom built kernel, so that should be
relatively easy.

Resources
=========

* Debian's Secure Boot support will be done for GRUB first, unclear if
  other bootloaders will be supported
* Matthew Garrett:
  - [Handling UEFI Secure Boot in smaller distributions](http://mjg59.dreamwidth.org/17542.html)
  - [Secure Boot bootloader for distributions available now](http://mjg59.dreamwidth.org/20303.html)
  - [An overview of Fedora's Secure Boot implementation](http://mjg59.dreamwidth.org/18945.html)
  - [Terse howto for getting a signed shim](http://mjg59.dreamwidth.org/20303.html?thread=783183#cmt783183)
* [Ubuntu Privacy Remix](https://www.privacy-cd.org/)'s next release
  (UPR 12.04r1) will support UEFI; a beta is available; they copied
  the solution from Ubuntu 13.10 (beta): the shim bootloader and
  a corresponding GRUB binary which passes secure boot. See their
  [build script](https://www.privacy-cd.org/en/tutorials/build-your-own-cd/79).
* [Managing EFI Boot Loaders for Linux by Rod Smith](http://www.rodsbooks.com/efi-bootloaders/index.html)
* shim is not in Debian yet (2014-01-02)
* [Booting a Self-signed Linux
  Kernel](http://www.kroah.com/log/blog/2013/09/02/booting-a-self-signed-linux-kernel/),
  by Greg Kroah-Hartman
* Linux Foundation's
  [Making UEFI Secure Boot Work With Open Platforms](http://linuxfoundation.org/publications/making-uefi-secure-boot-work-with-open-platforms)
* [ALT Linux' SecureBoot mini HOWTO](http://en.altlinux.org/UEFI_SecureBoot_mini-HOWTO) and
  [their](http://git.altlinux.org/people/mike/packages/?p=mkimage.git;a=blob;f=tools/mki-copy-efiboot;h=1ca6b0137c7488ae50540b027cf4a541074daba5;hb=HEAD)
  [scripts](http://git.altlinux.org/people/mike/packages/?p=mkimage.git;a=blob;f=tools/mki-pack-isoboot;h=85ca988c6aab94e3c44e64519baf2231e39d8d24;hb=HEAD)
